RFI_ITI_LOB - Federal Business Opportunities

Nov 3, 2013


Synopsis:

REQUEST FOR INFORMATION (RFI):

The GSA Office of the Chief Information Officer (OCIO), in concert with the IT Infrastructure Line of Business (ITI LoB), requests Capability Statements and responses to Business Model, Pricing Model, and Service Level Agreement (SLA) questions, 1 through 5, from vendors who provide ‘Infrastructure as a Service’ (IaaS) service offerings.


NOTE: This announcement is posted for data gathering and planning purposes only, DOES NOT constitute a solicitation, and is not to be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any cost associated with information submitted in response to this RFI.


HOW TO RESPOND: Responses to this RFI shall not exceed Twenty-five (25) pages and shall be received via email to Jacquelyn.Mcintyre@gsa.gov not later than 05:00 PM EDT, May 26, 2009. Please provide a Capability Statement which describes the respondent’s corporate capabilities and experience relevant to the IaaS arena, supplemented by the following requested information:


BACKGROUND: The IT Infrastructure Line of Business (ITI LoB) is a government-wide initiative sponsored by the Office of Management and Budget (OMB). The ITI LoB focuses on the effective use of IT Infrastructure systems, services and operational practices in the federal government.

The General Services Administration (GSA) has been designated by OMB as the Managing Partner for this initiative, but governance is shared across more than two dozen agencies.

REFERENCES: The source of the following working definition is the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL). The final version is to be published in the upcoming NIST Special Publication on Cloud Computing and Security.

Definition of Cloud Computing:

Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.


Key Characteristics:

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, without requiring human interaction with each service's provider.

Ubiquitous network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Location independent resource pooling. The provider's computing resources are pooled to serve all consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for rent often appear to be infinite and can be purchased in any quantity at any time.

Pay per use. Capabilities are charged using a metered, fee-for-service, or advertising based billing model to promote optimization of resource use. Examples are measuring the storage, bandwidth, and computing resources consumed and charging for the number of active user accounts per month. Clouds within an organization accrue cost between business units and may or may not use actual currency.

Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.

Delivery Models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider (e.g., java, python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to rent processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).

Deployment Models:

Private cloud. The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).

Public cloud. The cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).

Each deployment model instance has one of two types: internal or external. Internal clouds reside within an organization's network security perimeter and external clouds reside outside the same perimeter.

Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.


1. Please address the following Business Model, Pricing Model and Service Level Agreement (SLA) questions:

1.1. What is the scope and nature of your IaaS offerings, including computing-as-a-service, file storage-as-a-service, and associated administration capabilities? Please identify and explain. Note that for the purposes of this RFI we are not focused on platform-as-a-service or application sandboxing for test purposes, though you may suggest synergy between your IaaS offerings and other offerings.

1.2. Describe in general terms your IaaS pricing model as it relates to CPU, memory, storage, bandwidth, data transfer capacity, and other relevant pricing.

1.3. Describe your capability to offer hosting services, including any capabilities for server provisioning, preconfigured system images and application stacks, management, operating system patching, security software, and other managed services.

1.4. Describe the standard SLAs, if any, that are included in your cloud computing service offerings. Please detail SLAs on the overall service as well as SLAs for the specific customer instances in use, such as a given virtual server, storage volume, or other service unit.

1.5. Do you offer the flexibility of negotiated customer-specific SLAs or only fixed offerings?

1.6. Please provide past performance information, to include recent and relevant contracts for the same or similar items and other references (including contract numbers, points of contact with telephone numbers and other relevant information).


2. Please address the following Operational Support questions:

2.1. Describe the core components of ensuring availability from your perspective (e.g., number of locations, number of locations at Internet Exchange Points (IXP)).

2.2. Are you Border Gateway Protocol (BGP) peered?

2.3. Is your network dual homed? If so, with whom?

2.4. How are you able to prioritize our traffic if need be?

2.5. Do you maintain any industry certification standards such as ITIL, ISO 20000, and/or CMMI?

2.6. How do you maintain effective levels of patch management on the Operating Systems, VMs and/or hypervisors in an open virtualization environment?

2.7. Describe your handling of potential availability issues such as significant cloud computing outage, high network load or insufficient bandwidth access. What is your mitigation strategy in case of potential network outages, bandwidth shortages, or spikes in service demand?

2.8. What types and combinations of CPU processors, virtualization formats, and operating systems are supported by your service? In addition, what capabilities are there for testing various combinations of these?

2.9. What kind of trouble ticketing system do you have, and is it visible from our site?

2.10. What level of automatic alerting can you provide to our support staff in the event of failure, degraded service, or exceeded planned utilization?

2.11. Please describe your system for IP address assignment and persistence in a virtual environment.

2.12. Please identify which ports are allowed or accessible through your infrastructure (i.e., 25, 80, 139, and 443) and which we might assume would be blocked. Are any unique ports or API calls required?

2.13. Describe your IP management in a virtual environment. Can you provide renewal capabilities, including level of support for static IP addressing?

2.14. Describe how you manage domain controllers in a Demilitarized Zone (DMZ).

2.15. Describe how you manage remote administration for provisioning and Virtual Machine (VM) access.



3. Please address the following Data Management questions:

3.1. Describe your handling of data isolation, data recovery and handling/security of data at rest and in transit.

3.2. Can you guarantee that data will remain within the continental United States, both in transit and at rest? If so, how?

3.3. Describe your roles and responsibilities regarding data ownership, e.g., logging data.

3.4. Describe your method for getting a customer's data back in-house either on demand or in case of contract termination for any reason.

3.5. How would you handle data remnants throughout their service lifecycle?

3.6. Who owns the Intellectual Property for artifacts developed in or hosted in your cloud?


4. Please address the following Security questions:

4.1. Describe your security architecture around the cloud services that you provide, including Open Systems Interoperability layers 1-4. Please provide an overview of your methods to limit data dispersal to unauthorized entities.

4.2. Please explain how you provide physical security in a shared tenant environment.

4.3. Describe your approach to addressing IT security challenges in cloud computing, in particular dealing with hacker attacks, the potential for unauthorized access, and inappropriate use of proprietary data and IT applications. What are your processes and solutions for preventing these challenges from occurring?

4.4. Describe the cloud computing authentication models that you think would be most effective for Government administrative use. Describe how your service offering could enable eDiscovery, forensic analysis, auditability, and other similar governance requirements.

4.5. Detail your support for Security Assertion Markup Language (SAML) services.

4.6. What approaches for encryption key management do you support? Describe how you manage them.

4.7. List and describe any NIST 800-53 rev 3 (FISMA) controls that may be challenging to achieve within your IaaS services provided in a cloud environment. What other certifications and compliance standards do you support, have third party certification for, or comply with, such as HIPAA, PCI, and SAS 70?

4.8. To what extent have you implemented DNSSEC?

http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf

4.9. What is your level of support for full IPv6 capabilities, especially in the network, in Domain Name System (DNS), storage, and any operating systems that you provide? Please detail any capabilities that are not fully IPv6 compliant.

4.10. What kind of intrusion detection and intrusion prevention systems do you use, and are your customers provided access to these?

4.11. Identify what parts of your infrastructure are FIPS 140-2 compliant.

4.12. What controls are in place for administrative access, both internal to your company and for administrative access from government clients? Please include discussion of administrator controls over provisioning.

4.13. Describe how penetration testing and source code analysis are performed in a cloud environment.

5. Please address the following Interoperability and Portability questions:

5.1. Describe your recommendations regarding “cloud-to-cloud” communication and ensuring interoperability of cloud solutions.

5.2. Describe your experience in weaving together multiple different cloud computing services offered by you, if any, or by other vendors.

5.3. As part of your service offering, describe the tools you support for integrating with other vendors in terms of monitoring and managing multiple cloud computing services.

5.4. Please explain application portability; i.e., exit strategy for applications running in your cloud, should it be necessary to vacate.

5.5. Describe how you prevent vendor lock-in.